In another two years, the “digital underbelly,” or cybercrime, will near $6 trillion in damages. This is not collateral damage; it’s $6 trillion worth of opportunities lost to subpar application security. These damages extend beyond the financial realm into customer trust – depleting the currency that digital business runs on. A security lapse could even sound the death knell for some companies.
This situation is due to a skewed focus on application development that sidelines security. Even when Agile methodologies such as DevOps contribute to a more rigorous application development process, security often remains firmly in the purview of the traditional waterfall approach.
Moreover, security is often entrusted to enterprise IT teams that treat it as an infrastructural component rather than an application design element. Rudimentary measures such as firewalls that guard the borders are deemed sufficient. This approach fails when applications are hosted in environments that extend beyond enterprise IT, such as the cloud, containers or serverless computing platforms. In fact, if security is not on the agenda, the first hurrah around successfully applying DevOps in digital could well be the last.
DevSecOps: Fine-tuning DevOps for Digital
As organizations modernize their approach to application development, security cannot remain as an afterthought. Applications modeled on a digital architecture, technology and design put traditional security assurance practices on notice. The answer is DevSecOps, which takes a proactive stance by embedding security into the DevOps cycle and encoding security into the application, thus rendering it difficult to penetrate.
With DevSecOps, teams address vulnerabilities much earlier, rather than firefighting them at a later stage. It turns security into a key business requirement, ensuring secure applications are built from the ground up, the first time.
For example, in the continuous deployment world, developers automate the creation and deployment of multiple environments, and if DevSecOps is not implemented, security vulnerabilities may go unnoticed for extended periods of time, delaying time to market later on. Because DevSecOps integrates security into every software iteration, every time software is released to a production environment the organization can evaluate security vulnerabilities early in the lifecycle and address them.
Pivoting to DevSecOps
To put the cogwheels in motion, enterprises need to view security as inherently crucial to success. This requires a significant shift within teams, in terms of their agenda, modus operandi and culture. Here are some ways more mature DevOps teams can pivot to DevSecOps:
- Team structure: In a highly demanding DevOps pod, it could be counterproductive to make developers responsible for security. Nonetheless, secure code must be on the agenda. Organizations can consider realigning the pod structure to include a security expert to assure security iteratively, or – if the pod is already saturated – they can instate a separate pod of security experts to incrementally review and assess multiple applications from a security standpoint.
- Process realignment: DevSecOps moves security to a shift-left testing approach, which requires teams to deconstruct security assurance through such mechanisms as SAST/DAST (static/dynamic application security testing) tests, which identify vulnerabilities at the code level. Such approaches help create secure applications from a design standpoint and eliminate many siloed validation processes by enforcing more robust and automated execution. These security validation streams (involving design, pre-deployment, post-deployment and production) can integrate seamlessly with the DevOps process to kick-start a DevSecOps initiative. These tests can automatically flag vulnerabilities, enabling teams to take remedial steps to ensure minimal impact to the application.
- Tool landscape: To optimize DevSecOps, teams need automated security assurance. Security validation tools such as Metasploit, Core Impact, Immunity Canvas and ZAP can be integrated with the DevOps tool chain to increase automation coverage and maintain agility.
While it’s possible to build DevSecOps capabilities from the ground up, a faster approach is to leverage open source platforms that orchestrate security expertise, processes and tools for speed-to-market advantage. We’ve implemented a vulnerability scan solution for a large cruise channel by integrating OWASP Zed Attack Proxy, one of the most popular free security tools, with the company’s enterprise DevOps. This addressed the critical challenge of isolated and incomplete security testing that had resulted in vulnerabilities being uncovered in production, and led to reduced time to production and early vulnerability detection.
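The shift-left gate described under process realignment, and the ZAP integration described above, both come down to one pipeline step: parse the scanner's report and fail the build when it contains findings above an agreed risk level. The following is an added example, not code from the original article or from the author's cruise-channel implementation; it assumes the layout of ZAP's traditional JSON report (site → alerts → riskcode/pluginid/instances), and the report contents and plugin values are constructed sample data.

```python
import json

# Constructed sample report in the layout of ZAP's traditional JSON export
# (an assumption about the format; the findings below are made up, not from a real scan).
SAMPLE_REPORT = json.dumps({
    "@version": "2.x", "site": [{
        "@name": "https://staging.example.test",
        "alerts": [
            {"pluginid": "40012", "name": "Cross Site Scripting (Reflected)",
             "riskcode": "3", "confidence": "2",
             "instances": [{"uri": "https://staging.example.test/search?q=1", "method": "GET"}]},
            {"pluginid": "10038", "name": "Content Security Policy (CSP) Header Not Set",
             "riskcode": "2", "confidence": "3",
             "instances": [{"uri": "https://staging.example.test/", "method": "GET"}]},
            {"pluginid": "10021", "name": "X-Content-Type-Options Header Missing",
             "riskcode": "1", "confidence": "2",
             "instances": [{"uri": "https://staging.example.test/", "method": "GET"}]},
        ]}]})

# ZAP encodes risk as a string "0".."3"; map it to the names used in its reports.
RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}


def summarize_alerts(report_json):
    """Count alerts per risk level across every site in the report (for the build log)."""
    counts = {name: 0 for name in RISK_NAMES.values()}
    for site in json.loads(report_json).get("site", []):
        for alert in site.get("alerts", []):
            counts[RISK_NAMES[int(alert["riskcode"])]] += 1
    return counts


def gate(report_json, fail_at="Medium", accepted_plugins=()):
    """Return (passed, blocking_findings). The build fails when any alert at or above
    fail_at exists, unless its plugin id was explicitly risk-accepted by the security pod."""
    threshold = {name: code for code, name in RISK_NAMES.items()}[fail_at]
    blocking = []
    for site in json.loads(report_json).get("site", []):
        for alert in site.get("alerts", []):
            risk = int(alert["riskcode"])
            if risk >= threshold and alert["pluginid"] not in accepted_plugins:
                blocking.append((alert["pluginid"], alert["name"],
                                 RISK_NAMES[risk], len(alert.get("instances", []))))
    return (len(blocking) == 0, blocking)


if __name__ == "__main__":
    passed, findings = gate(SAMPLE_REPORT)  # default policy: Medium and above block the release
    print("summary:", summarize_alerts(SAMPLE_REPORT))
    print("build", "PASSED" if passed else "FAILED")
    for pid, name, risk, n in findings:
        print(f"  [{risk}] {name} (plugin {pid}, {n} instance(s))")
```

In a real pipeline the report file produced by the scan step replaces SAMPLE_REPORT, and a failed gate returns a non-zero exit code so the deployment stage never runs.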
The Last Word
In the end, organizations must understand and appreciate the bargain they strike with customers – convenience and curated experience in return for use of their data. But they need to uphold their end of the bargain by ensuring customer data is protected against malicious attacks that exploit security loopholes.
Any security attack is damaging to both the enterprise and its customers, and the reparations often fail to mitigate the loss. A figure such as $6 trillion doesn’t even begin to capture the full cost. In the end, the old adage holds – better safe than sorry – especially when there are ways to ensure that safety.